From da62e513e7645a42b9c7a3ed58004f3aba46dc54 Mon Sep 17 00:00:00 2001 From: aszlig Date: Fri, 22 Nov 2013 16:28:30 +0100 Subject: [PATCH] chromium: Update all channels to latest versions. This introduces version 31.0.1650.57 as the new version for the stable channel. Overview of the updated channels: stable: 30.0.1599.114 -> 31.0.1650.57 beta: 31.0.1650.34 -> 32.0.1700.19 dev: 32.0.1671.3 -> 33.0.1712.4 This drops the sandbox_userns_30.patch as version 30 is no longer stable. In addition, we had to patch out some references to /usr/bin/gcc in the bundled WebKit sources. Builds are passing and running fine. Signed-off-by: aszlig --- .../networking/browsers/chromium/default.nix | 13 +- .../browsers/chromium/sandbox_userns_30.patch | 293 ------------------ .../networking/browsers/chromium/sources.nix | 18 +- 3 files changed, 16 insertions(+), 308 deletions(-) delete mode 100644 pkgs/applications/networking/browsers/chromium/sandbox_userns_30.patch diff --git a/pkgs/applications/networking/browsers/chromium/default.nix b/pkgs/applications/networking/browsers/chromium/default.nix index fa91a877fdc0..87cdf673041a 100644 --- a/pkgs/applications/networking/browsers/chromium/default.nix +++ b/pkgs/applications/networking/browsers/chromium/default.nix @@ -46,16 +46,17 @@ let prePatch = "patchShebangs ."; - patches = singleton ( - if versionOlder version "31.0.0.0" - then ./sandbox_userns_30.patch - else ./sandbox_userns_31.patch - ); + patches = singleton ./sandbox_userns_31.patch; postPatch = '' sed -i -r -e 's/-f(stack-protector)(-all)?/-fno-\1/' build/common.gypi + '' + (if versionOlder version "32.0.0.0" then '' sed -i -e 's|/usr/bin/gcc|gcc|' third_party/WebKit/Source/core/core.gypi - '' + optionalString useOpenSSL '' + '' else '' + sed -i -e 's|/usr/bin/gcc|gcc|' \ + third_party/WebKit/Source/build/scripts/scripts.gypi \ + third_party/WebKit/Source/build/scripts/preprocessor.pm + '') + optionalString useOpenSSL '' cat $opensslPatches | patch -p1 -d third_party/openssl/openssl ''; diff --git a/pkgs/applications/networking/browsers/chromium/sandbox_userns_30.patch b/pkgs/applications/networking/browsers/chromium/sandbox_userns_30.patch deleted file mode 100644 index 9a412352c521..000000000000 --- a/pkgs/applications/networking/browsers/chromium/sandbox_userns_30.patch +++ /dev/null @@ -1,293 +0,0 @@ -commit 41510de6ae32e6161073992bd1243f7f33148a06 -Author: aszlig -Date: Thu May 16 14:17:56 2013 +0200 - - zygote: Add support for user namespaces on Linux. - - The implementation is done by patching the Zygote host to execute the sandbox - binary with CLONE_NEWUSER and setting the uid and gid mapping so that the child - process is using uid 0 and gid 0 which map to the current user of the parent. - Afterwards, the sandbox will continue as if it was called as a setuid binary. - - In addition, this adds new_user_namespace as an option in process_util in order - to set the UID and GID mapping correctly. The reason for this is that just - passing CLONE_NEWUSER to clone_flags doesn't help in LaunchProcess(), because - without setting the mappings exec*() will clear the process's capability sets. - - If the kernel doesn't support unprivileged user namespaces and the sandbox - binary doesn't have the setuid flag, the Zygote main process will run without a - sandbox. This is to mimic the behaviour if no SUID sandbox binary path is set. - - Signed-off-by: aszlig - -diff --git a/base/process/launch.h b/base/process/launch.h -index 45b1053..ce71418 100644 ---- a/base/process/launch.h -+++ b/base/process/launch.h -@@ -51,6 +51,7 @@ struct LaunchOptions { - new_process_group(false) - #if defined(OS_LINUX) - , clone_flags(0) -+ , new_user_namespace(false) - #endif // OS_LINUX - #if defined(OS_CHROMEOS) - , ctrl_terminal_fd(-1) -@@ -125,6 +126,9 @@ struct LaunchOptions { - #if defined(OS_LINUX) - // If non-zero, start the process using clone(), using flags as provided. - int clone_flags; -+ -+ // If true, start the process in a new user namespace. -+ bool new_user_namespace; - #endif // defined(OS_LINUX) - - #if defined(OS_CHROMEOS) -diff --git a/base/process/launch_posix.cc b/base/process/launch_posix.cc -index 52e149c..312f835 100644 ---- a/base/process/launch_posix.cc -+++ b/base/process/launch_posix.cc -@@ -37,6 +37,13 @@ - #include "base/threading/platform_thread.h" - #include "base/threading/thread_restrictions.h" - -+#if defined(OS_LINUX) -+#include -+#if !defined(CLONE_NEWUSER) -+#define CLONE_NEWUSER 0x10000000 -+#endif -+#endif -+ - #if defined(OS_CHROMEOS) - #include - #endif -@@ -416,13 +423,23 @@ bool LaunchProcess(const std::vector& argv, - - pid_t pid; - #if defined(OS_LINUX) -- if (options.clone_flags) { -+ int map_pipe_fd[2]; -+ int flags = options.clone_flags; -+ -+ if (options.new_user_namespace) { -+ flags |= CLONE_NEWUSER; -+ if (pipe(map_pipe_fd) < 0) { -+ DPLOG(ERROR) << "user namespace pipe"; -+ return false; -+ } -+ } -+ -+ if (options.clone_flags || options.new_user_namespace) { - // Signal handling in this function assumes the creation of a new - // process, so we check that a thread is not being created by mistake - // and that signal handling follows the process-creation rules. -- RAW_CHECK( -- !(options.clone_flags & (CLONE_SIGHAND | CLONE_THREAD | CLONE_VM))); -- pid = syscall(__NR_clone, options.clone_flags, 0, 0, 0); -+ RAW_CHECK(!(flags & (CLONE_SIGHAND | CLONE_THREAD | CLONE_VM))); -+ pid = syscall(__NR_clone, flags, 0, 0, 0); - } else - #endif - { -@@ -440,6 +457,21 @@ bool LaunchProcess(const std::vector& argv, - } else if (pid == 0) { - // Child process - -+#if defined(OS_LINUX) -+ if (options.new_user_namespace) { -+ // Close the write end of the pipe so we get an EOF when the parent closes -+ // the FD. This is to avoid race conditions when the UID/GID mappings are -+ // written _after_ execvp(). -+ close(map_pipe_fd[1]); -+ -+ char dummy; -+ if (HANDLE_EINTR(read(map_pipe_fd[0], &dummy, 1)) != 0) { -+ RAW_LOG(ERROR, "Unexpected input in uid/gid mapping pipe."); -+ _exit(127); -+ } -+ } -+#endif -+ - // DANGER: fork() rule: in the child, if you don't end up doing exec*(), - // you call _exit() instead of exit(). This is because _exit() does not - // call any previously-registered (in the parent) exit handlers, which -@@ -555,6 +587,40 @@ bool LaunchProcess(const std::vector& argv, - _exit(127); - } else { - // Parent process -+#if defined(OS_LINUX) -+ if (options.new_user_namespace) { -+ // We need to write UID/GID mapping here to map the current user outside -+ // the namespace to the root user inside the namespace in order to -+ // correctly "fool" the child process. -+ char buf[256]; -+ int map_fd, map_len; -+ -+ snprintf(buf, sizeof(buf), "/proc/%d/uid_map", pid); -+ map_fd = open(buf, O_RDWR); -+ DPCHECK(map_fd >= 0); -+ snprintf(buf, sizeof(buf), "0 %d 1", geteuid()); -+ map_len = strlen(buf); -+ if (write(map_fd, buf, map_len) != map_len) { -+ RAW_LOG(WARNING, "Can't write to uid_map."); -+ } -+ close(map_fd); -+ -+ snprintf(buf, sizeof(buf), "/proc/%d/gid_map", pid); -+ map_fd = open(buf, O_RDWR); -+ DPCHECK(map_fd >= 0); -+ snprintf(buf, sizeof(buf), "0 %d 1", getegid()); -+ map_len = strlen(buf); -+ if (write(map_fd, buf, map_len) != map_len) { -+ RAW_LOG(WARNING, "Can't write to gid_map."); -+ } -+ close(map_fd); -+ -+ // Close the pipe on the parent, so the child can continue doing the -+ // execvp() call. -+ close(map_pipe_fd[1]); -+ } -+#endif -+ - if (options.wait) { - // While this isn't strictly disk IO, waiting for another process to - // finish is the sort of thing ThreadRestrictions is trying to prevent. -diff --git a/content/browser/zygote_host/zygote_host_impl_linux.cc b/content/browser/zygote_host/zygote_host_impl_linux.cc -index bb84e62..bce0d18 100644 ---- a/content/browser/zygote_host/zygote_host_impl_linux.cc -+++ b/content/browser/zygote_host/zygote_host_impl_linux.cc -@@ -119,25 +119,31 @@ void ZygoteHostImpl::Init(const std::string& sandbox_cmd) { - - sandbox_binary_ = sandbox_cmd.c_str(); - -- // A non empty sandbox_cmd means we want a SUID sandbox. -- using_suid_sandbox_ = !sandbox_cmd.empty(); -+ bool userns_sandbox = false; -+ const std::vector cmd_line_unwrapped(cmd_line.argv()); - -- if (using_suid_sandbox_) { -+ if (!sandbox_cmd.empty()) { - struct stat st; - if (stat(sandbox_binary_.c_str(), &st) != 0) { - LOG(FATAL) << "The SUID sandbox helper binary is missing: " - << sandbox_binary_ << " Aborting now."; - } - -- if (access(sandbox_binary_.c_str(), X_OK) == 0 && -- (st.st_uid == 0) && -- (st.st_mode & S_ISUID) && -- (st.st_mode & S_IXOTH)) { -+ if (access(sandbox_binary_.c_str(), X_OK) == 0) { -+ using_suid_sandbox_ = true; -+ - cmd_line.PrependWrapper(sandbox_binary_); - - scoped_ptr - sandbox_client(sandbox::SetuidSandboxClient::Create()); - sandbox_client->SetupLaunchEnvironment(); -+ -+ if (!((st.st_uid == 0) && -+ (st.st_mode & S_ISUID) && -+ (st.st_mode & S_IXOTH))) { -+ userns_sandbox = true; -+ sandbox_client->SetNoSuid(); -+ } - } else { - LOG(FATAL) << "The SUID sandbox helper binary was found, but is not " - "configured correctly. Rather than run without sandboxing " -@@ -161,7 +167,19 @@ void ZygoteHostImpl::Init(const std::string& sandbox_cmd) { - base::ProcessHandle process = -1; - base::LaunchOptions options; - options.fds_to_remap = &fds_to_map; -+ if (userns_sandbox) -+ options.new_user_namespace = true; - base::LaunchProcess(cmd_line.argv(), options, &process); -+ -+ if (process == -1 && userns_sandbox) { -+ LOG(ERROR) << "User namespace sandbox failed to start, running without " -+ << "sandbox! You need at least kernel 3.8.0 with CONFIG_USER_NS " -+ << "enabled in order to use the sandbox without setuid bit."; -+ using_suid_sandbox_ = false; -+ options.new_user_namespace = false; -+ base::LaunchProcess(cmd_line_unwrapped, options, &process); -+ } -+ - CHECK(process != -1) << "Failed to launch zygote process"; - - if (using_suid_sandbox_) { -diff --git a/content/zygote/zygote_main_linux.cc b/content/zygote/zygote_main_linux.cc -index 1f0e9f5..ade5aab 100644 ---- a/content/zygote/zygote_main_linux.cc -+++ b/content/zygote/zygote_main_linux.cc -@@ -420,6 +420,13 @@ static bool EnterSandbox(sandbox::SetuidSandboxClient* setuid_sandbox, - *has_started_new_init = true; - } - -+ // Don't set non-dumpable, as it causes trouble when the host tries to find -+ // the zygote process (XXX: Not quite sure why this happens with user -+ // namespaces). Fortunately, we also have the seccomp filter sandbox which -+ // should disallow the use of ptrace. -+ if (setuid_sandbox->IsNoSuid()) -+ return true; -+ - #if !defined(OS_OPENBSD) - // Previously, we required that the binary be non-readable. This causes the - // kernel to mark the process as non-dumpable at startup. The thinking was -diff --git a/sandbox/linux/suid/client/setuid_sandbox_client.cc b/sandbox/linux/suid/client/setuid_sandbox_client.cc -index 34231d4..36e3201 100644 ---- a/sandbox/linux/suid/client/setuid_sandbox_client.cc -+++ b/sandbox/linux/suid/client/setuid_sandbox_client.cc -@@ -166,6 +166,10 @@ bool SetuidSandboxClient::IsInNewNETNamespace() const { - return env_->HasVar(kSandboxNETNSEnvironmentVarName); - } - -+bool SetuidSandboxClient::IsNoSuid() const { -+ return env_->HasVar(kSandboxNoSuidVarName); -+} -+ - bool SetuidSandboxClient::IsSandboxed() const { - return sandboxed_; - } -@@ -175,5 +179,9 @@ void SetuidSandboxClient::SetupLaunchEnvironment() { - SetSandboxAPIEnvironmentVariable(env_); - } - -+void SetuidSandboxClient::SetNoSuid() { -+ env_->SetVar(kSandboxNoSuidVarName, "1"); -+} -+ - } // namespace sandbox - -diff --git a/sandbox/linux/suid/client/setuid_sandbox_client.h b/sandbox/linux/suid/client/setuid_sandbox_client.h -index a9f6536..2e8113a 100644 ---- a/sandbox/linux/suid/client/setuid_sandbox_client.h -+++ b/sandbox/linux/suid/client/setuid_sandbox_client.h -@@ -39,6 +39,8 @@ class SetuidSandboxClient { - bool IsInNewPIDNamespace() const; - // Did the setuid helper create a new network namespace ? - bool IsInNewNETNamespace() const; -+ // Is sandboxed without SUID binary ? -+ bool IsNoSuid() const; - // Are we done and fully sandboxed ? - bool IsSandboxed() const; - -@@ -46,6 +48,8 @@ class SetuidSandboxClient { - // helper. - void SetupLaunchEnvironment(); - -+ void SetNoSuid(); -+ - private: - // Holds the environment. Will never be NULL. - base::Environment* env_; -diff --git a/sandbox/linux/suid/common/sandbox.h b/sandbox/linux/suid/common/sandbox.h -index aad4ff8..bd710d5 100644 ---- a/sandbox/linux/suid/common/sandbox.h -+++ b/sandbox/linux/suid/common/sandbox.h -@@ -18,6 +18,7 @@ static const char kAdjustLowMemMarginSwitch[] = "--adjust-low-mem"; - - static const char kSandboxDescriptorEnvironmentVarName[] = "SBX_D"; - static const char kSandboxHelperPidEnvironmentVarName[] = "SBX_HELPER_PID"; -+static const char kSandboxNoSuidVarName[] = "SBX_NO_SUID"; - - static const long kSUIDSandboxApiNumber = 1; - static const char kSandboxEnvironmentApiRequest[] = "SBX_CHROME_API_RQ"; diff --git a/pkgs/applications/networking/browsers/chromium/sources.nix b/pkgs/applications/networking/browsers/chromium/sources.nix index aae71e8dfb60..8ee5752f4aca 100644 --- a/pkgs/applications/networking/browsers/chromium/sources.nix +++ b/pkgs/applications/networking/browsers/chromium/sources.nix @@ -1,18 +1,18 @@ # This file is autogenerated from update.sh in the same directory. { dev = { - version = "32.0.1671.3"; - url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-32.0.1671.3.tar.xz"; - sha256 = "0bv86ig3mrd95zh78880bcyh9b8w46s7slxq3mwwmrmqp0s8qaq0"; + version = "33.0.1712.4"; + url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-33.0.1712.4.tar.xz"; + sha256 = "1c1m0y3nnz2lclqi21j6hgqmb46p1hv7c22zz9fn7dax7jkimydk"; }; beta = { - version = "31.0.1650.34"; - url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-31.0.1650.34.tar.xz"; - sha256 = "0c73kvp09cmq4x42rcf45v0mnbyb8rcyi5i4pj0pvfn451vbngdq"; + version = "32.0.1700.19"; + url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-32.0.1700.19.tar.xz"; + sha256 = "0d0kgy160pyg472ka43gxk7n09pqhhs9nd93jyxrp9qsyllfc425"; }; stable = { - version = "30.0.1599.114"; - url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-30.0.1599.114.tar.xz"; - sha256 = "0q5pq8bj4y0c7hd121db1fa9g3apkpkhb6cf14ag7abgrda2pzw2"; + version = "31.0.1650.57"; + url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-31.0.1650.57.tar.xz"; + sha256 = "1xv7frf47hhvqm6f3n2l308yfrs4d8ri70q6pndx7hslhyiixzl9"; }; }